The Federal Trade Commission had the first of three privacy roundtables yesterday, and I spoke on a panel about online targeted behavioral advertising. The other speakers on the panel were: Jeff Chester, Executive Director, Center for Digital Democracy; Dave Morgan, CEO, Simulmedia, Inc.; Zoë Strickland, Vice President, Chief Privacy Officer, Walmart; Berin Szoka, Director, Center for Internet Freedom, The Progress & Freedom Foundation; Omar Tawakol, CEO, BlueKai; Craig Wills, Associate Professor, Computer Science, Worcester Polytechnic Institute; and Linda Woolley, Executive Vice President, Government Affairs, Direct Marketing Association. Moderators: Peder Magee and Michelle Rosenthal, Division of Privacy and Identity Protection, FTC.
A New York Times article on the roundtable quoted me about a fundamental issue that divides industry and consumer advocates: opt-in or opt-out. Opt-in, the choice of consumer advocates, puts the burden on companies to have strong privacy protections and use limitations so consumers will choose to share their data. Opt-out, the choice of the majority of ad industry players, puts the burden on consumers to learn about what the privacy policies are, whether they protect consumer data, whom the data is shared with and for what purpose, and how to opt out of this data collection, use and sharing.
I’ve written a lot about online targeted behavioral advertising and the possible risks for consumer privacy. In behavioral advertising, a user’s online activity is tracked so that ads can be served based on the user’s behavior. Often, consumers do not understand they are being tracked or have a false belief in the security of their data. In September, the New York Times reported on a new survey (pdf) from researchers at the University of Pennsylvania and the University of California-Berkeley that found consumer confusion about how, when or if their data is protected. “Americans mistakenly believe that current government laws restrict companies from selling wide‐ranging data about them. When asked true‐false questions about companies’ rights to share and sell information about their activities online and off, respondents on average answer only 1.5 of 5 online laws and 1.7 of the 4 offline laws correctly because they falsely assume government regulations prohibit the sale of data.”
Even people knowledgeable about privacy laws are confused by privacy policies. In an August 2009 interview with the New York Times, FTC Bureau of Consumer Protection Director David Vladeck said, “I’m a lawyer, I’ve been practicing law for 33 years. I can’t figure out what the hell these [notice and consent disclosure forms] mean anymore. And I don’t believe that most consumers either read them, or, if they read them, really understand it.”
And consumers don’t want to be tracked. The Penn-Berkeley study found, “Contrary to what many marketers claim, most adult Americans (66%) do not want marketers to tailor advertisements to their interests. Moreover, when Americans are informed of three common ways that marketers gather data about people in order to tailor ads, even higher percentages — between 73% and 86% — say they would not want such advertising.”
In April, University of Southern California’s Center for the Digital Future found in its eighth annual “Surveying the Digital Future” project (pdf) that “almost all respondents continue to report some level of concern about the privacy of their personal information when or if they buy on the Internet.” Ninety-three percent of respondents “reported some level of concern about the privacy of personal information (somewhat, very, or extremely concerned).”
U.S. lawmakers have called for new rules to protect Web site users’ privacy, and the online behavioral advertising industry has agreed to new, voluntary regulations that still fall short in privacy protections.
I have joined a coalition of consumer advocacy organizations in urging Congress to enact legislation to protect consumer privacy in response to threats from the growing practices of online behavioral tracking and targeting. We need strong privacy-protective federal legislation, which will not preempt state privacy laws. The legislation needs to be based on the Fair Information Practices and OECD Principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.
And there needs to be a much better definition of “sensitive data” than the definition set out by the industry groups (pdf). The principles ask industry members not to collect “sensitive data,” which the industry construes as (1) “personal information” of children under age 13 and (2) “financial account numbers, Social Security numbers, pharmaceutical prescriptions, or medical records about a specific individual.” The principles do allow for the collection and use of the second category – health and financial data – if a user consents to the collection and use.
The industry’s self-regulatory principles would permit widespread data collection involving personal information regarding our health and financial concerns, based on consent that is gathered via complicated privacy notices and that is most likely to be unknowing or confused. Sensitive data include at least data about health, finances, ethnicity, race, sexual orientation, personal relationships and political activity.
Among the main points that the coalition of consumer advocacy groups said should be included in consumer privacy legislation:
- Sensitive information should not be collected or used for behavioral tracking or targeting.
- No behavioral data should be collected or used from anyone under age 18 to the extent that age can be inferred.
- Web sites and ad networks shouldn’t be able to collect or use behavioral data for more than 24 hours without getting the individual’s affirmative consent.
- Behavioral data shouldn’t be used to unfairly discriminate against people or in any way that would affect an individual’s credit, education, employment, insurance, or access to government benefits.